Account Elevated to New Role

Back


Id	c1c66f0b-5531-4a3e-a619-9d2f770ef730
Rulename	Account Elevated to New Role
Description	Detects an account that is elevated to a new role where that account has not had that role in the last 14 days. Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
Severity	Medium
Tactics	Persistence
Techniques	T1078.004
Required data connectors	AzureActiveDirectory
Kind	Scheduled
Query frequency	1d
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/AccountElevatedtoNewRole.yaml
Version	1.0.1
Arm template	c1c66f0b-5531-4a3e-a619-9d2f770ef730.json

KQL

AuditLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where OperationName =~ "Add member to role completed (PIM activation)"
  | where Result =~ "success"
  | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)
  | extend displayName = tostring(TargetResources[0].displayName)
  | extend displayName2 = tostring(TargetResources[3].displayName)
  | extend ElevatedRole = iif(displayName =~ "Member", displayName2, displayName)
  | join kind = rightanti (AuditLogs
  | where TimeGenerated > ago(1d)
  | where OperationName =~ "Add member to role completed (PIM activation)"
  | where Result =~ "success"
  | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)
  | extend displayName = tostring(TargetResources[0].displayName)
  | extend displayName2 = tostring(TargetResources[3].displayName)
  | extend ElevatedRole = iif(displayName =~ "Member", displayName2, displayName)
  | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser
  | project-reorder ElevatedUser, ElevatedRole, ResultReason,ElevatedBy

YAML

queryPeriod: 14d
entityMappings:
- fieldMappings:
  - columnName: ElevatedUser
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: ElevatedBy
    identifier: FullName
  entityType: Account
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/AccountElevatedtoNewRole.yaml
tactics:
- Persistence
query: |
  AuditLogs
    | where TimeGenerated between(ago(14d)..ago(1d))
    | where OperationName =~ "Add member to role completed (PIM activation)"
    | where Result =~ "success"
    | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)
    | extend displayName = tostring(TargetResources[0].displayName)
    | extend displayName2 = tostring(TargetResources[3].displayName)
    | extend ElevatedRole = iif(displayName =~ "Member", displayName2, displayName)
    | join kind = rightanti (AuditLogs
    | where TimeGenerated > ago(1d)
    | where OperationName =~ "Add member to role completed (PIM activation)"
    | where Result =~ "success"
    | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)
    | extend displayName = tostring(TargetResources[0].displayName)
    | extend displayName2 = tostring(TargetResources[3].displayName)
    | extend ElevatedRole = iif(displayName =~ "Member", displayName2, displayName)
    | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser
    | project-reorder ElevatedUser, ElevatedRole, ResultReason,ElevatedBy  
description: |
  'Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.
    Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.
    Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'  
queryFrequency: 1d
id: c1c66f0b-5531-4a3e-a619-9d2f770ef730
tags:
- AADSecOpsGuide
relevantTechniques:
- T1078.004
severity: Medium
version: 1.0.1
triggerThreshold: 0
kind: Scheduled
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
name: Account Elevated to New Role

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c1c66f0b-5531-4a3e-a619-9d2f770ef730')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c1c66f0b-5531-4a3e-a619-9d2f770ef730')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Account Elevated to New Role",
        "description": "'Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\n  Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\n  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "AuditLogs\n  | where TimeGenerated between(ago(14d)..ago(1d))\n  | where OperationName =~ \"Add member to role completed (PIM activation)\"\n  | where Result =~ \"success\"\n  | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\n  | extend displayName = tostring(TargetResources[0].displayName)\n  | extend displayName2 = tostring(TargetResources[3].displayName)\n  | extend ElevatedRole = iif(displayName =~ \"Member\", displayName2, displayName)\n  | join kind = rightanti (AuditLogs\n  | where TimeGenerated > ago(1d)\n  | where OperationName =~ \"Add member to role completed (PIM activation)\"\n  | where Result =~ \"success\"\n  | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\n  | extend displayName = tostring(TargetResources[0].displayName)\n  | extend displayName2 = tostring(TargetResources[3].displayName)\n  | extend ElevatedRole = iif(displayName =~ \"Member\", displayName2, displayName)\n  | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\n  | project-reorder ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "c1c66f0b-5531-4a3e-a619-9d2f770ef730",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "ElevatedUser"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "ElevatedBy"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/AccountElevatedtoNewRole.yaml",
        "templateVersion": "1.0.1",
        "tags": [
          "AADSecOpsGuide"
        ]
      }
    }
  ]
}